Shulou(Shulou.com)11/24 Report--

Beijing, September 26 (Xinhua) Technology companies, known for their technology, should know best how to fight hackers. But a series of hacker attacks show that even these big technology companies have weaknesses, especially people.

▲ people become a weak link in hacker attacks.

Just recently, taxi-hailing giant Uber and "GTA6" game developer Rockstar Games both disclosed major hacker attacks that affected their operations. This year, a number of companies have been victims of hacking attacks, including some of the world's best technology companies, such as chip giant Nvidia and authentication company okta.

The weak "moat" traditionally, enterprises have adopted a "castle and moat" network security model. No one outside the network can access internal data, but everyone within the network can. The internal network of an enterprise can be imagined as a castle and the network boundary can be imagined as a moat. Once the drawbridge is lowered and someone crosses it, they can move freely in the castle.

"We just built a huge moat around the castle. once you break through the moat, you go in." Said Bowie Boe Hartman, former chief technology officer at Goldman Sachs. His team at Goldman Sachs built the consumer banking infrastructure, making Apple's credit card and its proud privacy features possible.

This peripheral security makes sense when the corporate network consists mainly of personal computers physically connected to office buildings. But today, from personal mobile devices and home computers to cloud services and Internet of things devices, a variety of devices, employees, and external contractors are increasingly connected to enterprise systems. Simply protecting every device and account that may be connected to a company's system is difficult and often disastrous because an attacker only needs to break through one door to gain access to the entire system.

▲ Uber suffers cyber attack

In Uber, for example, attackers used a preempted contractor account to gain access to internal systems, posted messages on a company-wide Slack channel, and took over an account to communicate with security researchers. Uber had to temporarily suspend access to the intercom system. Uber said in a statement last Monday that it found no indication that hackers had accessed user accounts or databases used by Uber to store sensitive user information.

What these hackers have in common is that they trick people inside the target company or people close to the target company into handing over network access certificates or other key information, a technology known as "social engineering". Uber, for example, said hackers triggered automatically generated access requests, resulting in a contractor's phone being harassed by spam and eventually approving a request. Other examples include fake "phishing" emails to trick employees into sending login credentials to the attacker.

Zero trust now, technology companies have come to an eye-catching conclusion: since the Trojan War, the weakest link in the field of security has been humans. Increasingly, they have adopted a new approach to security: they don't trust anyone.

This idea, known as the "zero trust architecture", assumes that hackers can break into an enterprise, no matter how powerful its external defense system is. Therefore, enterprises need to ensure that even the users in the network do not cause serious damage.

Average weekly cyber attacks on ▲ in the United States and around the world

In fact, many of the design principles that guide engineers to build zero-trust systems are easy to understand. If you find yourself recently having to log on to corporate systems or bank websites more frequently, this is a "zero trust" strategy, that is, periodically "rotate" certificates to allow people and computers to access other systems. The idea is that even if attackers get into your account, they have limited time to sabotage it.

Another zero-trust principle known as "behavioral analysis" is that software should monitor the behavior of people on the Internet and mark anyone who has done something unusual, such as trying to withdraw a large sum of money from the bank. For example, when you travel to a new city, if there is a credit card purchase that does not fit your usual style, the bank will send you a text message, which is based on the same analysis.

Google advanced deployment although many enterprises have only now adopted a true zero-trust system, the security industry has been discussing the issue of trust for more than a decade.

One of the companies realized early on that walls and moats could no longer provide adequate protection: Google. After learning the lessons of cyber security in 2009, Google began to deploy its own version of the zero-trust system, which it called BeyondCorp.

▲ Google deployed a "zero trust" system a long time ago

A Google spokesman said the company's defense applies to all parts of the IT system: users, devices, applications and services, regardless of ownership, physical or network location. All these factors will be treated with the same inherent skepticism. Naturally, Google has also turned it into a product for companies that pay for its cloud services.

Creating a top-down zero-trust architecture for a company's existing IT infrastructure requires the commitment of the company's top leaders, which may eventually require a fundamental internal transformation of its system, says Hartman. Hartman is currently a co-founder of healthcare startup Nomi Health.

The attack comes a few months after Nvidia, the most valuable semiconductor company in the United States, released a digital fingerprinting tool called Morpheus that runs on Nvidia's hardware. It uses artificial intelligence to analyze hundreds of billions of user behaviors every week and to mark instances when users seem to be doing something unusual and potentially risky. For example, a user who usually uses Microsoft Office suddenly tries to access the tools and repositories where the company's source code is located.

Therefore, Nvidia knows a thing or two about "zero trust". However, its system was attacked in March this year. After that, Nvidia CEO Huang Renxun (Jensen Huang) said the incident was a wake-up call for Nvidia and vowed to accelerate the embrace of a zero-trust architecture.

▲ Huang Renxun said the attack was a wake-up call.

However, the introduction of a "zero trust" system is not without shortcomings, including that it may limit the productivity of engineers because they all want to get as much access to the system as possible. Striking a balance between security and accessibility means constant dialogue between the security team and the employees they serve, says Justin Boitano, vice president of enterprise computing at Nvidia. This is helpful, he added. Huang Renxun, his CEO, pointed out cyber security issues bluntly after the March attack. "employees seem to understand that we are living in a new world and that there may be bad guys in your network".

Hartman points out that the breadth of this change means that companies rebuilding old systems need to set priorities, starting with protecting their apple of the eye: source code, other intellectual property rights, customer information, and so on. After that, they can work through other parts of the system. Vasu Jakkal, vice president of corporate security at Microsoft, points out that the scale of this challenge partly explains why only 22% of companies implement multiple certifications, even though it is one of the best first-line network access defenses.

Even proponents of zero trust admit that zero trust is not a panacea, in large part because it takes a lot of time and effort to do so. But in a world where regulators, shareholders and customers are prepared to hold companies and their leaders accountable for hacking and data breaches, and attackers are smarter and more aggressive than ever before, companies may not have much choice. They must work to make themselves less vulnerable.

"in the new world, you have to assume that there will always be bad guys on your network," says Boitano of Nvidia. "the question is how do you protect your resources and the company's intellectual property rights."

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.